Bloodhound
BloodHound is a web application that maps hidden relationships in Active Directory and Azure using graph theory. It features a React frontend with Sigma.js, a Go-based REST API backend, and uses PostgreSQL and Neo4j databases.
Fed by SharpHound and AzureHound data collectors, it helps attackers identify complex attack paths and defenders eliminate them. Used by both red and blue teams, BloodHound enhances visibility into privileged relationships. BloodHound CE is maintained by the BloodHound Enterprise Team, with the original version created by @_wald0, @CptJesus, and @harmj0y.
Repo Link: https://github.com/SpecterOps/BloodHound
Installation/Updating
- Installation
- Updating
Installation:

```bash
mkdir -p /opt/Bloodhound-CE && cd /opt/Bloodhound-CE
curl -L https://ghst.ly/getbhce > docker-compose.yml
```
Then I edited the port from 8080 to 3003 in the docker-compose.yml file to avoid a conflict with the Burp Suite proxy on 8080.

```yaml
### Bind BloodHound to port 3003
- ${BLOODHOUND_HOST:-127.0.0.1}:${BLOODHOUND_PORT:-3003}:8080
```
Then we can run it:
```bash
docker compose up --build -d   # Build and detach from terminal
# A random temporary password is generated and shown after the build has finished.
# We can use the following command to see the stdout:
docker logs <CONTAINER-ID>
# We can obtain the container ID with the "docker ps" command
```
When we have the password, navigate to http://localhost:3003/ui/login and use the credentials admin:<random-temp-password>.
After entering the provided credentials, you’ll be prompted to change the password before gaining access to BloodHound.
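The loopback binding in the ports line above only holds while BLOODHOUND_HOST is unset or is itself a loopback address. As an added example (not part of the original notes or the BloodHound project), this script resolves that mapping and reports the host address it publishes on; the function names are made up here, and it reads exported variables only, not a `.env` file.

```sh
#!/bin/sh
# Added example, not BloodHound project code: resolve a compose "ports:" entry
# and report the host address it publishes on. Function names are hypothetical.

# Expand ${NAME} and ${NAME:-default} from exported variables, without eval.
expand_defaults() {
    local s="$1" out="" open='${' close='}' ref name def val
    while :; do
        case $s in *"$open"*"$close"*) ;; *) break ;; esac
        out=$out${s%%"$open"*}          # literal text before the reference
        s=${s#*"$open"}
        ref=${s%%"$close"*}             # e.g. BLOODHOUND_HOST:-127.0.0.1
        s=${s#*"$close"}
        name=${ref%%:-*}
        def=""
        case $ref in *:-*) def=${ref#*:-} ;; esac
        case $name in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 2 ;; esac
        val=$(printenv "$name" || true) # empty when the variable is unset
        out=$out${val:-$def}
    done
    printf '%s\n' "$out$s"
}

# Print the HOST part of a short-syntax mapping [HOST:]PUBLISHED:TARGET[/proto].
# Without a HOST part Docker publishes on every interface, shown as 0.0.0.0.
bind_host() {
    local m rest
    m=$(expand_defaults "$1") || return 2
    m=${m%/*}                           # drop a /tcp or /udp suffix
    rest=${m%:*}                        # strip the container port
    case $rest in
        *:*) printf '%s\n' "${rest%:*}" ;;  # strip published port, keep HOST
        *)   printf '%s\n' 0.0.0.0 ;;
    esac
}

# Exit 0 only when the mapping is published on a loopback address.
is_loopback_only() {
    case $(bind_host "$1") in
        127.*|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed inputs: the mapping from this page, then one with no HOST part.
for m in '${BLOODHOUND_HOST:-127.0.0.1}:${BLOODHOUND_PORT:-3003}:8080' '3003:8080'; do
    if is_loopback_only "$m"; then state=loopback-only; else state=EXPOSED; fi
    printf '%-13s %s\n' "$state" "$(bind_host "$m")"
done
```

A mapping that fails to parse is reported as not loopback-only, so the check fails closed.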
Updating:

```bash
cd /opt/Bloodhound-CE   # directory where we have the docker-compose.yml file
docker compose pull && docker compose up
```
Sharphound/Azurehound
SharpHound and AzureHound are both data collectors that are part of the BloodHound tool set.
The installation links for both are also available on the BloodHound Community Edition website.
- Sharphound
- Azurehound
SharpHound:

```powershell
# Upload .exe or .ps1 depending on the shell we have, then:
SharpHound.exe -c All --zipfilename rezydev         # For Basic Collection
SharpHound.exe -c Session,Trusts                    # For Specific Data Collection (comma-separated, no space)
SharpHound.exe -c All --Throttle 2000 --Jitter 20   # For Stealth Mode (Delays Requests)
```
- SharpHound generates `.zip` files containing the collected data.
- Transfer it to the attack-host.
- Upload the `.zip` files in BloodHound’s interface for visualization and analysis.

AzureHound:

- Ensure you have `AzureHound` and `Azure CLI` installed.
- Authenticate using an account with necessary permissions.
```powershell
# Login using Azure CLI
az login
# Run AzureHound
AzureHound.exe
# By default, it collects data on Azure AD users, roles, groups, and more.
```
- AzureHound generates `.zip` files similar to SharpHound.
- Upload the `.zip` files in BloodHound for analysis of Azure attack paths.
NetExec's BloodHound
```bash
nxc ldap 10.10.10.10 -u 'rezydev' -p 'Password123@' --bloodhound --collect ALL --dns-server 10.10.10.10
```
bloodhound-python
```bash
bloodhound-python -c ALL -u rezydev -p 'Password123@' -d rezydev.local -ns 10.10.10.10
# Add the --zip flag to get a zip-compressed file.
```